PCI DSS Version 3.2 released

The Payment Card Industry Data Security Standard – PCI DSS – is fundamental to much of the work we undertake with clients. First published in December 2004 in the wake of the Enron scandal, PCI DSS consolidated the security standards being enforced by Visa, MasterCard, American Express, JCB and Discover. It is applicable to all businesses that store, process or transmit payment card data, and compliance is enforced by the card schemes through payment service providers. Failure to comply can result in the card schemes levying unfavourable or punitive transaction rates on non-compliant merchants, or ultimately the card schemes could withdraw payment capabilities.

Version 3.2, published today, places increased emphasis on rules for data access and on criteria for ongoing compliance programmes, and renews the emphasis on the need to migrate to more secure web protocols. The old standard – Version 3.1 – will be retired in December 2016, and after that date all PCI DSS assessments will be made against the new standard. The major changes that the new standard brings in are:

Data Access

The new data access rules will mean that enhanced, multi-factor authentication will be required for all employees who can amend systems that contain card data – user ID and password will no longer cut it. There’s a direction here: how long before all access to the Cardholder Data Environment will require such credentials?

Ongoing Compliance Programmes

The new standard incorporates “Designated Entities Supplemental Validation” (DESV), which Troy Leach of the PCI Security Standards Council describes as “a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments....

Compliance3 advises contact centres on ways to tackle fraud in 2015

Experts Compliance3 highlight the technologies and processes continuously overlooked by contact centres which ensure card payment security

By SLS Marketing – 22 Oct 15

London, 15th January 2015: Compliance3, a company that helps contact centres achieve and maintain PCI DSS compliance, has highlighted the technologies and processes contact centres should implement in 2015 to reduce the increasing risk of breaches, reputational damage and revenue loss.

Ensuring card data is not ‘captured’: allowing card data to enter the business environment when exchanging data with trusting customers for payments renders the merchant liable to extensive, expensive PCI DSS compliance obligations. Ideally, card data needn’t enter the business environment at all.

Legacy recordings: using pause/resume technologies to pause call recordings at the point of payment allows card details to be provided to the advisor by the customer while preventing their storage. However, many of these technologies depend on the advisor and are notoriously unreliable, meaning that many merchants may be storing card data unnecessarily.

Implementing payment technologies such as DTMF or IVR: DTMF (Dual Tone Multi-Frequency) uses the frequencies of handset keypad tones to determine which numbers have been entered, and IVR (Interactive Voice Response) is a voice-response technology that achieves the same purpose. Both solutions eradicate the risk of the agent capturing card details.

Applying the full PCI DSS programme: version 3.0 became mandatory from January 2015 and enables a business to be fully compliant with all card scheme requirements.

Contact centres from small, niche operations to those representing major high street brands, despite a steep increase in “card not present” fraud, still need to embrace the...